We’re only a few weeks into 2021, but the year promises to bring significant change to the regulatory landscape governing data privacy and cybersecurity. The incoming federal administration will likely shift defense policies and have a new vision for how government agencies should deal with cybersecurity challenges.
At the same time, data breaches are still making headlines. And as COVID-19 case numbers continue to surge across the United States and around the globe, growing numbers of Americans have become aware of the ways their personal data could make a valuable contribution to the fight against the pandemic — or be co-opted for questionable or unethical purposes — depending upon how it’s handled in the digital contact tracing platforms that are becoming as commonplace as mobile devices. All in all, public awareness of data privacy’s importance has skyrocketed.
The more attention the public pays to an issue, the more likely it is to attract the notice of regulators. Furthermore, increasingly stringent laws protecting consumer privacy rights were already being passed by state legislatures before the outbreak of the coronavirus pandemic. Here at BTB, we believe that these already in-progress trends are likely to continue and even accelerate over the course of 2021.
This means that business stakeholders will need to think carefully about how to keep up with the evolution of the regulatory landscape. Adhering to cybersecurity best practices will be essential for organizations who wish to steer clear of negative publicity, lawsuits and fines.
With that said, here are a few of our predictions for the coming year.
Growing numbers of states will enact statutes resembling the California Consumer Privacy Act (CCPA).
Since the CCPA came into effect on January 1, 2020, at least a dozen additional states, from Colorado to New York and Massachusetts to Maine, have introduced “copycat” legislation. These laws are intended to protect consumer privacy and give individuals greater control over what types of information can be collected about or from them, and how it can be stored and used.
The CCPA follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR), which specifies a set of technical controls, as well as policies and procedures, that organizations storing or handling personal data from E.U. residents must have in place. Organizations found noncompliant, including some located outside of the E.U.’s borders, have faced hefty fines.
As more and more consumers and policymakers come to believe that individuals can and should have control over what happens to their data, we expect to see increasing numbers of similar regulations at the state and local level here in the U.S.
Like the CCPA, many of these regulations will impact businesses outside the state where the law was passed, since their provisions stipulate that all for-profit businesses handling or storing the state’s residents’ data and meeting certain criteria must comply. Under the CCPA, a business falls within scope if it meets any one of three thresholds: annual gross revenue above $25 million; annually buying, selling or sharing the personal information (PI) of 50,000 or more California consumers, households or devices; or deriving 50% or more of its annual revenue from selling consumers’ PI. A business that meets any of these criteria can face penalties for failing to adhere to the CCPA, regardless of where that business is located.
These regulations will be enforced with heftier fines, particularly for organizations that are found to be deliberately negligent.
As growing numbers of companies make good-faith efforts to adhere to regulatory requirements, those that do not are likely to face increasingly severe consequences.
Additionally, organizations that aren’t proceeding thoughtfully, meaning they are not drafting privacy policies that err on the side of caution and not making appropriate investments in technology and employee training, can expect penalties. CCPA civil penalties run up to $2,500 per violation, rising to as much as $7,500 per violation when the California Attorney General determines that the violation was intentional. Because each affected record can count as a separate violation, these per-violation figures can add up quickly.
New payment card security standards are coming.
While we don’t know exactly which changes the next version of the Payment Card Industry Data Security Standard (PCI DSS) will bring, we do know that version 4.0 is expected to be released in mid- to late 2021. And we’re confident that the new PCI requirements won’t be any less stringent than the current ones.
Possible additions to the core PCI DSS requirements include more stringent controls in areas such as multi-factor authentication (MFA), access control procedures and encryption, along with more advanced security monitoring. Once the new version of PCI DSS is published, organizations will have an 18-month transition period, during which the current version remains valid, to bring themselves into full compliance.
More organizations will try harder to be good stewards of their customers’ data.
While there’s room for debate about exactly what industry-leading practitioners should be doing to raise the bar, there’s no question that adhering to basic cybersecurity best practices can go a long way when it comes to protecting your organization from being fined or, worse yet, being convicted in the court of public opinion.
Implementing the right technical controls, such as MFA and data encryption, is important, but so too is maintaining appropriate governance, particularly when it comes to making organizational decisions around activities involving personal data and privacy. For instance, can a department in your organization independently deploy new attribution-tracking software that stores customer names, without security and privacy requirements first being defined and then managed through the tool’s lifetime? Organizations that proceed thoughtfully, involve stakeholders, and integrate privacy decisions into the design of their new initiatives are better positioned to navigate issues related to data security and privacy risk.
More and more stakeholders in risk management have come to understand that maintaining regulatory compliance should not be the overarching objective of their governance and security programs, but rather a minimum baseline requirement.
Would you like to learn more about how you can bolster your organization’s approach to risk management? Check out BTB’s comprehensive portfolio of governance, risk management and compliance services.